In Redmine before 3.2.6 and 3.3.x before 3.3.3, Redmine.pm lacks a check for whether the Repository module is enabled in a project's settings, which might allow remote attackers to obtain sensitive differences information or possibly have unspecified other impact.
{ "availability": "No subscription required", "ubuntu_priority": "low", "binaries": [ { "binary_name": "redmine", "binary_version": "3.4.2-1" }, { "binary_name": "redmine-mysql", "binary_version": "3.4.2-1" }, { "binary_name": "redmine-pgsql", "binary_version": "3.4.2-1" }, { "binary_name": "redmine-sqlite", "binary_version": "3.4.2-1" } ] }